Splunk Search

How to search syntax to exclude dhost or URL

trojan_81
Path Finder

New to Splunk here. Trying to run a search for user BLAHBLAH that does NOT contain dhost of api.drift.com
Would someone help me with the search? index=*

My search below but does not seem to be working:

index=* "BLAHBLAH" sourcetype=* dhost!="api.drift"

Raw syslog below:

Nov 26 16:40:26 QHLSTLS11 mwg: status="426/0" srcip="10.99.99.50" user="BLAHLBAH" dhost="presence.api.drift.com" urlp="443" proto="HTTPS/https" mtd="GET" urlc="Business" rep="0" mt="application/x-empty" mlwr="-" app="-" bytes="782/780/201/196" ua="Chrome77-10.0" lat="0/0/71/97" rule="Last Rule" url="https://presence.api.drift.com/ws/websocket?session_token=SFMyNTY.43QAAAACZAAEZGF0YXQAAAAFZAACaWRtAAAAEzEwMzg5Ny00MTE0MTAzMjM0LTRkAAZvcmdfaWRiAAGV2WQACXNjb3BlX3NldGwAAAABbQAAAARsZWFkamQbB3VzZXJfaWRuBADCOzj1ZAAJdXNlcl90eXBlZAAEbGVhZGQABnNpZ25lZG4GAE8ol55uAQ.7-xbZbLOyHODYgRuuNSrIkIupxR3MnYkslNfjSaDMZU&vsn=1.0.0"
0 Karma

sduff_splunk
Splunk Employee
Splunk Employee
index=* user="BLAHBLAH" dhost!="*api.drift*"
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...